In conventional computer-based authentication, a user provides a username and password to log in to a protected system. Such protected systems include banking websites, shopping websites, personal computers, portable devices, medical-records databases, and email accounts, to name a few.
One typical approach to computer-based authentication uses a separate username and password to authenticate to each protected system. A user wishing to make a transfer of funds between accounts on his banking website, for example, provides a username and password associated with that website. The same user, when wishing to log in to his email account, provides a different username and password for access to that system. This approach often results in users having to remember a large number of usernames and passwords. Remembering a large number of usernames and passwords is such a daunting task that many users resort to writing down their passwords, saving their passwords (usually in an insecure manner), or requesting to reset their password each time they revisit a system. This can be inconvenient and insecure.
Another approach uses a single-sign-on service. By providing authentication through a single-sign-on service, protected systems can provide their users with a single-sign-on username and password for authenticating to multiple systems. Using the previous example, the user wishing to access his banking website can use the same single-sign-on username and password that is used for his email account, thus requiring the user to remember or locate only one username and password. While this is helpful to users, this one username and password is made much more powerful by the use of a single-sign-on service. A malicious actor may gain access to many resources if the username and password are compromised or stolen. As the single-sign-on username and password may give full access to a user's banking website, email, and other resources, all of these systems can be compromised if one username and password is compromised.